At CISO London 2021, our panel of industry experts discussed how CISOs should approach the threat of ransomware in the coming year
In the United States, the Cybersecurity and Infrastructure Security Agency (CISA) recently reported a 62% increase in year-on-year ransomware complaints between January and July 31, 2021.
Meanwhile, in the UK, Jeremy Fleming, the head of the UK intelligence agency GCHQ, disclosed to The Guardian that the number of ransomware attacks on British institutions has doubled in the past year.
At CISO London, held at the Royal Horseguards Hotel in London on October 19, 2021, we convened a world-leading panel of experts to discuss how CISOs should approach the continued evolution of ransomware in 2022.
- Jules Pagna Disso, Group Head of Cyber Risk Intelligence and Insider Technology Risk, BNP Paribas
- Goher Mohammad, Head of Infosec, L&Q
- Jon Gilbert, former CISO, Department for Education
Ransomware: The State of Play
As we have discussed previously, there is no silver bullet to prevent a ransomware attack. As Jon Gilbert, the former CISO for the Department for Education, noted, whether you are targeted is out of your control. What you can do is prepare.
“It’s going to be somebody else’s choice, whether or not you are going to be targeted,” Gilbert said. “What we’ve seen in the sector is all the preparedness of [organizations]. Those who are prepared are much more able to deal with the outcomes.”
And while many successful attacks have been a result of email phishing or infected files, the panel observed that cybercriminals are taking advantage of hybrid working practices to launch attacks from unexpected places.
“[We] observed that the volume of attacks started increasing not necessarily against the company directly but targeting people working from home,” said BNP Paribas Group Head of Cyber Risk Intelligence and Insider Technology Risk Jules Pagna Disso.
For an attacker, Pagna Disso explained, even a poorly configured home printer network might be enough to gain full remote access to your computer.
“There were many people who did not have the correct setup to prevent an attack [at home]. If your computer at home allows you to print on your home network, it means that somebody in your home network can fully control your computer,” he said.
“[In terms of] extreme cases, we’ve seen CCTV networks being targeted and that’s been the route into systems,” Gilbert added.
He continued: “We’ve seen a lot of attacks come through from email. But I think we also need to observe that it’s not just email and personnel that are being attacked here, it’s also some of the traditional vulnerabilities as well.”
The Evolving Role of Cyber Insurance
The immediate costs of a ransomware attack can pose an existential threat to businesses, especially for those who deal with regulated data.
Cyber insurance is a way for businesses to recover quickly from an attack. It offers ready access to funds and may offer forensic and legal support, as well as other benefits.
“Over the last 18 months, the educational establishments that have had cyber insurance in place have done the best without a shadow of a doubt,” said Gilbert. “However, we’re also now beginning to see a significant hike in premiums. And we’re also seeing the refusal of providing coverage.”
If premiums rise and coverage becomes more difficult to acquire, ransoms could become more difficult for businesses to pay, although Gilbert cautioned against reading too much into what this might mean for the industry.
“Trying to second-guess the impact it’s going to have, I think, is a little bit hard. It may reduce the economic gain [for criminals] because I think where we are seeing a lot of the ransomware being paid, it’s coming from the insurance,” Gilbert said. “And if that is changing, it’s going to change the dynamics.”
Another factor for CISOs to consider is how well insurers align with the regulatory frameworks an organization already follows, especially where an insurer imposes additional requirements beyond those frameworks.
“I don’t personally think [cyber insurance] is worth the paper it’s written on, purely because it’s disconnected. They don’t align to the ISO 27001 standard or NIST, they have their own various flavors of it,” said L&Q Head of Infosec Goher Mohammad.
He continued: “And that’s an issue because if you’re an organization that ensures that you are compliant to a standard, and your cyber insurance is saying that you need to do all these other things, where do you go?”
However, as Mohammad made clear, organizations that decide not to get cyber insurance should have an alternative plan in place to mitigate the organizational risk.
“I think it’s really important that you have that backup plan there, should you need it. And that can come in different forms, cyber insurance being one of them, but you have to weigh that up,” he concluded.
Will Regulating Cryptocurrencies Defang Ransomware Groups?
Arguably, the growth of cryptocurrencies like Bitcoin and Ethereum was essential to the global ransomware boom.
If that is true, could the regulation of cryptocurrencies be the key to holding criminal ransomware gangs to account?
The EU is already taking steps to make cryptocurrency transactions easier to trace. Proposed legislation from the bloc would require cryptocurrency exchanges to identify their customers, bringing them in line with rules already in place for other financial institutions.
“The pressure [to regulate] comes from wanting to protect people who invest in cryptocurrencies and wanting to stop criminals who use cryptocurrencies to easily get the money out,” said Pagna Disso. “[If this happens,] I think ransomware is going to change. It’s going to have a big impact.”
Other members of the panel were not entirely convinced.
“Criminals will find different ways. If it’s not cryptocurrency it’s going to go back to bags of money, or it’s going to be gold,” Mohammad quipped.
“Will it change? Most likely, yes. I think the question is, what does it change to?” added Gilbert. “Criminals will always be criminals. You will always have vulnerabilities. We just need to manage what the next thing is going to be.”